I've started a thread on the topic some time ago on the php list, after some
extensive reading and testing and these were the main conclusions:
1.1. ALWAYS pass "addslashed" values and always pass them quoted in the SQL
statement. That is "insert into table1 set id='$id'" even if $id is known to
always have numeric values. That's because you may get an $id='; delete
where 1=1'. This specific situation results in an error message in MySQL,
but... better safe than sorry. If you do this, make sure you addslashes($id)
beforehand - otherwise you may get an $id="'; delete where 1=1" and that
would still be potentially dangerous.
An alternative to this would be
1.2. addslashes() to text values and for numeric values just do an
"$id=abs($id)" beforehand - this eliminates text from $id, evaluating it to
an integer/float.

2. Make sure you are extra careful with delete statements. In generic
statements, your main concern should be general security, so that people
can't access data they're not supposed to (that's because, as I said,
passing two SQL statements usually issues an error). In delete statements
however, you may get for your "delete from table1 where id=$id" a $id of the
form "1 or 1=1" which would delete your whole table.

3. OT, but you should be very extra super careful when using exec()

Well, that's about all there is to it (in my opinion anyways). The big
problem is sticking to it and always using these. The problem is even bigger
if you develop for open-source because... You get it...

Bogdan

PS. Only now have I noticed you are using PostgreSQL. Never worked with it
but it seems it's able to accept multiple queries from a single PHP call, so
you should seriously consider points 1.1 and 1.2.
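The following is an added example, not code from the post or from its author. It takes the post's own payloads ("'; delete where 1=1" and "1 or 1=1") and shows how each of the three query-building styles discussed above treats them: the unquoted interpolation the post warns about, point 1.1 (addslashes() plus quoting), and point 1.2 (reducing a numeric parameter with abs()). It then adds the bound-parameter form (PDO prepared statements), which the post predates, and checks it against an in-memory SQLite table. The function names, the table layout and the use of pdo_sqlite are all my assumptions.

```php
<?php
// Added example, not part of the original mailing-list post.
// Function names, table1 layout and the pdo_sqlite dependency are assumptions.

// The pattern the post warns about: the value is dropped straight into the
// SQL text, so "1 or 1=1" becomes part of the WHERE clause.
function build_delete_unsafe(string $id): string {
    return "delete from table1 where id=$id";
}

// Point 1.1: always addslashes() the value AND quote it in the statement.
// The single quote inside the payload is escaped to \' and stays inside the
// string literal instead of terminating it.
function build_select_quoted(string $id): string {
    return "select * from table1 where id='" . addslashes($id) . "'";
}

// Point 1.2: for a numeric column, coerce to a number before interpolation.
// The (int) cast is added for modern PHP, where abs() on a non-numeric
// string is an error; "1 or 1=1" casts to 1 and "abc" casts to 0.
function build_delete_numeric($id): string {
    $id = abs((int) $id);
    return "delete from table1 where id=$id";
}

// Bound parameters: the value is sent separately from the SQL text, so it can
// never change the statement's structure and needs no escaping or quoting.
function delete_by_id(PDO $pdo, $id): int {
    $stmt = $pdo->prepare('delete from table1 where id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained check against an in-memory SQLite database (constructed data).
// Returns how many rows the "1 or 1=1" delete removed and how many remain.
function demo(): array {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('create table table1 (id integer primary key, name text)');
    $pdo->exec("insert into table1 (id, name) values (1,'a'),(2,'b'),(3,'c')");

    $deleted = delete_by_id($pdo, "1 or 1=1");
    $remaining = (int) $pdo->query('select count(*) from table1')->fetchColumn();
    return ['deleted' => $deleted, 'remaining' => $remaining];
}

// Show each builder's treatment of the two payloads from the post.
foreach (["'; delete where 1=1", "1 or 1=1"] as $payload) {
    echo "payload: $payload\n";
    echo "  unsafe : ", build_delete_unsafe($payload), "\n";
    echo "  1.1    : ", build_select_quoted($payload), "\n";
    echo "  1.2    : ", build_delete_numeric($payload), "\n";
}
print_r(demo());
```

Two things worth keeping in mind when reading the output. The 1.1 form relies on the quoting and the escaping being applied together, exactly as the post says; addslashes() alone without the surrounding quotes does nothing for the "1 or 1=1" case, and addslashes() is not aware of the connection's character set, so the driver's own escaping function or bound parameters are the safer choice on a real server. The bound-parameter form sidesteps the whole question, which is why delete_by_id() removes only the row with id 1 even when handed the post's "1 or 1=1" payload.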



-- 
PHP Database Mailing List (http://www.php.net/)